Cannot use Advanced Rest Client with Letsencrypt Websites because throws: sslv3 alert handshake failure

nacesprin · March 7, 2019, 2:52pm

My domain is: https://dev.www.triunfamos.com

I ran this command: I use Advanced Rest Client ( https://install.advancedrestclient.com/install ) and call to my domain

It produced this output:

### The requested URL can't be reached
The service might be temporarily down or it may have moved permanently to a new web address.
140278599439040:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO sslv3 alert handshake failure:../../vendor/node/deps/openssl/openssl/ssl/s23_clnt.c:802:

If I use this website: https://apitester.com/ to call to my URL it works fine
But with this one it fails too: https://client.restlet.com/ throwing the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): ubuntu 16

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.26.1

Osiris · March 7, 2019, 8:08pm

That’s because the default options for the nginx installer plugin is to disable SSLv3.

It is adviced to disable SSLv3 because of security flaws in the protocol. It was deprecated in June 2015 by RFC 7568. In 2014, SSL 3.0 was found to be vulnerable to the POODLE attack that affects all block ciphers in SSL; RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.[18]

You could enable SSLv3, but I would strongly advice against it.

The reason restlet.com doesn’t work is probably because they’re using an old version of Java.

jmorahan · March 7, 2019, 9:04pm

Hmm. Somehow I don’t think it’s simply due to SSLv3 - I happen to have Advanced Rest Client installed, and it connects just fine to my own home server, which only speaks TLS 1.2 and of course also uses a Let’s Encrypt certificate. Sure enough though, I get that same error when trying to connect to https://dev.www.triunfamos.com.

… opens wireshark …

I think the problem might be a mismatch of supported elliptic curves. What is ssl_ecdh_curve set to in your nginx configuration?

Osiris · March 7, 2019, 9:18pm

Well, I tested with OpenSSLs s_client and its -sslv3 option, which refuses to connect to https://dev.www.triunfamos.com/ .

The site only supports secp384r1 but that shouldn't be a problem.

Actually, the site is configured pretty well: SSL Server Test: dev.www.triunfamos.com (Powered by Qualys SSL Labs)

jmorahan · March 7, 2019, 9:20pm

Well, sure, SSLv3 won’t work. But Advanced Rest Client does support TLS 1.2.

Osiris · March 7, 2019, 9:22pm

Useless OpenSSL error message, it is.

jmorahan · March 7, 2019, 9:23pm

Maybe it shouldn't, but I'm looking at the handshake in Wireshark and I'm only seeing secp256r1 being offered by ARC.

nacesprin · March 7, 2019, 9:23pm

Thanks people for your support.

I had disabled some time ago SSLv3: https://www.cdn77.com/tls-test?domain=dev.www.triunfamos.com

|TLS 1.3|NO|
|TLS 1.2|YES|
|TLS 1.1|NO|
|TLS 1.0|NO|
|SSLv3|NO|
|SSLv2|NO|

@jmorahan How do I check what is ssl_ecdh_curve set?

jmorahan · March 7, 2019, 9:24pm

uhhh… beyond “grep your nginx config”, I’m not sure, sorry. I’m more of an Apache guy

nacesprin · March 7, 2019, 9:25pm

I’m a bit confused. What is the next step I need to check or show to you?

nacesprin · March 7, 2019, 9:26pm

@jmorahan
root@profuniv-desa:/etc/nginx# grep ssl_ecdh_curve *
grep: conf.d: Is a directory
grep: geoip: Is a directory
grep: sites-available: Is a directory
grep: sites-available.BAK: Is a directory
grep: sites-enabled: Is a directory
grep: snippets: Is a directory
grep: ssl: Is a directory

jmorahan · March 7, 2019, 9:27pm

try:
grep -r ssl_ecdh_curve /etc/nginx

nacesprin · March 7, 2019, 9:27pm

@jmorahan

root@profuniv-desa:/etc/nginx# grep -r ssl_ecdh_curve *
snippets/ssl_letsencrypt.conf:ssl_ecdh_curve secp384r1;

jmorahan · March 7, 2019, 9:29pm

Okay so try editing the file snippets/ssl_letsencrypt.conf and changing that line from:
ssl_ecdh_curve secp384r1;
to:
ssl_ecdh_curve auto;
or possibly just delete the line entirely.

Osiris · March 7, 2019, 9:29pm

Uch, seriously? IMHO that's a flaw from ARC..

nacesprin · March 7, 2019, 9:36pm

changed to ssl_ecdh_curve auto;

root@profuniv-desa:/etc/nginx# nginx -t
nginx: [emerg] Unknown curve name "auto" (SSL:)
nginx: configuration file /etc/nginx/nginx.conf test failed

Suggestion (some sites):
Don’t works: https://www.cdn77.com/tls-test?domain=dev.www.triunfamos.com
DO works: https://www.cdn77.com/tls-test?domain=www.cdimarbella.com
DO works: https://www.cdn77.com/tls-test?domain=www.aulafacil.com (NO letsencript)

jmorahan · March 7, 2019, 9:37pm

Yeah sorry I misread the documentation, auto was added in a later nginx version than the one you’re running. Try just deleting the line entirely.

nacesprin · March 7, 2019, 9:40pm

YOU ARE THE FUCKING MASTER.

It worked by deleting the entire line.

So… the question is: Is the change favorable or worst?

Osiris · March 7, 2019, 9:43pm

auto only works since nginx 1.11.0.

Try:

ssl_ecdh_curve prime256v1:secp384r1;

That might be the default for your nginx version by the way. The docs say the current default is "auto", but that wouldn't be the default of your version obviously.

nacesprin · March 7, 2019, 9:45pm

root@profuniv-desa:/etc/nginx# nginx -t
nginx: [emerg] Unknown curve name "prime256v1:secp384r1" (SSL:)
nginx: configuration file /etc/nginx/nginx.conf test failed